Method and system for detecting characteristics of a wireless network

ABSTRACT

Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.

BACKGROUND

1. Field

The present invention relates generally to network security techniques,and more specifically to detecting characteristics of devicescommunicating in data networks employing wireless local area network(WLAN) technology.

2. Background

The Institute for Electrical and Electronic Engineers approved the“Standard For Information Technology; Telecommunications and informationexchange between systems-Local and Metropolitan networks-Specificrequirements; Part 11: Wireless LAN Medium Access Control (MAC) andPhysical Layer (PHY) specifications: Higher speed Physical Layer (PHY)extension in the 2.4 GHz band” (known as 802.11b) for the development ofproducts to allow computers and other devices to connect to wired LocalArea Network (LAN) segments not with wires, but by using radio-basednetwork interface cards (NICs) working in the public 2.4 GHz range. Suchwireless access to a wired LAN is often referred to as a wirelessnetwork.

As a result of the 802.11 standard, many network products were developedthat provide access points that are wired into a LAN segment and provideaccess to the network for the wireless client computers using theseradio-based NICs. Because wireless connectivity can span outside thephysical control of a building, the current physical security measuresthat attempt to prevent unauthorized access to a LAN are no longereffective. By using a Service Set Identifier (SSID), only those attemptsto access the wireless network that use the same SSID on the clientcards as is on the access point will connect. The SSID does not providesecurity, however, only identification. The SSID is sent in anunprotected fashion by both the access point and the clients, and can beeasily captured and exploited.

Security measures were incorporated into the 802.11b protocol, includingWired Equivalent Privacy (WEP) data encryption and shared secretpasswords. The shared secret passwords provide limited protection andare rarely used. WEP relies on a shared password used by the accesspoint and the clients to encrypt the payload data of the transmission,but does not encrypt the header and other information about thecommunication. Further, WEP was developed before the export restrictionswere lifted on encrypted algorithms. Because of this, WEP was onlydesigned to use 40 bit keys and was not cryptographically complex. Afterthe export restrictions were lifted, a 104-bit version was implemented.Unfortunately, this “stronger” version still used a flawed cryptoimplementation. It was not long before white papers were writtendescribing how the WEP key could be broken. Soon after that, productsappeared that could assist in breaking WEP.

The use of 802.11x wireless networks (where 802.11x refers to any of the802.11 standards that define wireless protocols, including, for example,802.11b and the recently released 802.11a) has grown significantly.This, coupled with the availability of low cost equipment in theconsumer market, has raised many questions for IT departmentadministrators about whether or not to implement a wireless network,and, if so, how to implement one. Many computer security policies likelypreclude the utilization of any wireless network tied into the mainnetwork wiring. Others allow limited use for the convenience of theiremployees, but dictate strict security settings.

Contrasting this, certain industries necessitate the deployment ofwireless networks. For instance, the sheer size and topology of anovernight package delivery company such as Federal Express requires theuse of handheld wireless nodes in their day-to-day operations.Typically, most early wireless networks employed by companies such asthis were proprietary. But due to the increase in available hardware andsoftware, and due to the increased performance and ease to which 802.11xnetworks can be integrated into existing IT infrastructures, manycompanies such as Federal Express are switching to the commerciallyavailable systems.

In most situations, wireless breaches of wired networks go unnoticed.Unlike the plethora of security devices/services available for the wirednetwork infrastructure few tools exist for the system administrator todetect wireless intrusions.

One security issue with wireless networks is the fact that it isinexpensive and easy to install a new wireless access point onto anexisting wired network. This could open an otherwise secure network tooutsiders. Many current wireless intrusion detection products work bymonitoring the wired network for access points. This requires their useon every separate segment of the network, since each separate networksegment would need to be monitored individually. Also, current solutionsdo not identify any client machines that are attempting to access thewireless LAN.

A second security issue involves locating wireless access devices(particularly unapproved ones) within a wireless network. A wirelessaccess device can include any wireless device that can provide access toa network, including a wireless access point or wireless client.Traditionally, locating the source of radio signals, such as thoseemitted by a wireless access device, utilizes a TDF (Time/Distance Fix)approach that requires listening stations at known points in space, andthe application of a timestamp and direction for a given radiotransmission. This requires that all listening stations have directionalantennas and highly accurate clocks that are synchronized to the otherlistening stations. These components of the solution are prohibitive inan office environment. Furthermore, the directional antennas are moreexpensive than their omni-directional counterparts. The use ofdirectional antennas also implies that complete coverage of a given areacan only be achieved with a greater number of listening stations than ifomni-directional antennas where used. Lastly, the requirements for theaccuracy and synchronization of the clocks increases as the range to thetarget decreases. Since an 802.11 wireless access device has a range ofonly several hundred feet, highly accurate and well-synchronized clocksare required, further increasing the expense of any potential solutions.

A third security issue involves early and accurate detection of possiblyhighly sophisticated network intrusions, such as spoofing. Traditionalintrusion detection system (IDS) solutions attempt to capture and storenetwork packets as quickly as possible for the purpose of attackdetection, anomaly detection, and event correlation. This typicallyrequires high bandwidth connections to the observed network, fastinstruction processing, and large storage capacity.

When applied to wireless networks, the same problems exist. Atraditional approach to intrusion detection involving 802.11 wouldrequire packets to be captured as quickly as a radio receiver couldreceive them. In addition, 802.11 networks operate on multiple channels,each of which must be observed separately. Thus, in order to observe allcurrent 802.11b channels (of which there are 14), 14 different observingradios would be required. In addition to being cost prohibitive, powerconsumption and processing capabilities become greater issues.

There is therefore a need in the art for a wireless intrusion detectionsystem and method that overcomes the above problems by providing anon-intrusive, robust, and transparent wireless intrusion detectioncapability that allows a wireless access device to be located within awireless network and quickly and accurately identifies intrusions intothe wireless network.

SUMMARY

In accordance with the present invention, a wireless intrusion detectionsystem (WIDS) and method performs monitoring of wireless networks(including at least one wireless network being protected, known as thewireless network of interest), stores the results of that monitoring,processes the results to determine whether any unauthorized access ofthe wireless network of interest has occurred, detects characteristicsof the wireless network and notifies users of the results and theprocessing. Furthermore, the WID system includes one or more WIDS nodes(which may include at least one primary WIDS node) for monitoring aparticular geographic area, and a WIDS collector for collecting from theWIDS nodes the information monitored by all of the WIDS nodes. In anembodiment, the WID system can detect characteristics of the wirelessnetwork or of wireless access devices. Such characteristics can includethe state in which a particular wireless access device is operating andthe type of wireless network (which can include, for example, either aninfrastructure network or an ad hoc network). Information about anetwork collected by a WIDS can include tracking of authorized andunauthorized access points and clients, locating any unauthorizedwireless access devices, determining the status of any authorized accesspoints, determining whether any authorized access points have changed,determining whether any authorized access points are not operating,identifying any denial of service (DoS) attempts, tracking of multipleconnection attempts to the wireless network by any unauthorized wirelessaccess devices, tracking how long any unauthorized wireless accessdevice has attempted to access the wireless network, and identifyingattempts to spoof an authorized access point. In an embodiment, thelocation of a wireless access device is determined by measuring adistance between a node and the wireless access device, measuring asecond distance between another node and the wireless access device,determining an area based on the distance measurements, and determiningan approximate location based on the intersection of those areas.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a wireless network containing a WID systemaccording to the present invention.

FIG. 2 is a hardware block diagram of a WIDS collector.

FIG. 3 is a hardware block diagram of a WIDS node.

FIG. 4 is a diagram of an approximation band around a WIDS node.

FIG. 5 is a diagram of approximation bands around multiple WIDS node.

FIG. 6 is a state transition diagram of a client in an infrastructurewireless network.

FIG. 7 is a state transition diagram of a client in an ad hoc wirelessnetwork.

FIG. 8 is a state transition table at a WIDS node.

FIG. 9 depicts the schema of a back end database in a WID system.

FIG. 10 is a depiction of a web page structure for an implementation ofa user interface to a WID system.

DETAILED DESCRIPTION

FIG. 1 depicts a wireless network containing an intrusion detectionsystem (IDS) particularly focused on wireless events, according to thepresent invention. Such a wireless intrusion detection system (WIDsystem or WIDS) monitors a specific geographic area to discover bothauthorized and unauthorized access points and authorized andunauthorized client machines that may be trying to connect to thewireless network. These access points and client machines are,collectively, wireless access devices. In one embodiment, the WID systemhas two functional parts: one or more WIDS nodes (or simply “nodes”)that collect data from access points and clients; and one or more WIDScollectors (or simply “collectors”) that collect the raw data from theWIDS nodes using an out-of-band means. The raw data (e.g., intrusion andstatus information) from the WIDS nodes can be stored in a database foraccess by a local web based management console, or sent to any SimpleNetwork Management Protocol (SNMP) client software by the WIDScollector. Other features of a WID system are discussed in a relatedpending, commonly owned application filed May 17, 2002, entitled “Methodand System for Wireless Intrusion Detection,” U.S. application Ser. No.10/147,308 (Attorney Docket NETS-001/00US), the disclosure of which ishereby incorporated by reference.

In general, the number of WIDS nodes required for a WID system is basedon the size of the area to be protected. The WIDS nodes, however,utilize passive detection so they are not easy to detect by an attacker.In addition, the out-of-band communications between the WIDS nodes andWIDS collector are encrypted, providing even further security.

The WID system in FIG. 1 is made up of WIDS collector 110 and a numberof WIDS nodes 120. As a result of the initialization process that willbe described in more detail below, at least one WIDS node 120 isdesignated as a primary WIDS node 125. Each WIDS node 120 that is not aprimary WIDS node is also known as a secondary WIDS node. Primary WIDSnode 125 communicates with other WIDS nodes 120 and WIDS collector 110using a proprietary dynamic wireless protocol. Each WIDS node 120 alongwith primary WIDS node 125 provides wireless intrusion detection over aparticular geographic area within the overall area 100 to be protected.

Authorized access to the wireless network can occur through variousaccess points 130 that allow wireless access devices to access localarea network (LAN) 170, to which access points 130 are attached. Anauthorized wireless client 165 can access the LAN via the wirelessnetwork through an access point 130 and have the same (or similar) usageof the wired network as an authorized client 167 connected to the LANvia a wired connection.

In addition to access points 130 within LAN 170 that have beenauthorized, an additional rogue access point 140 is shown in FIG. 1 thatcould be used for unauthorized access to the network. Additionally,unauthorized access to the LAN through the wireless portion of thenetwork can occur via war driver 150 or rogue client 160 attempting toaccess via an allowed access point 130.

Rogue access point 140 could be an access point enabled by an authorizedemployee or could be an access point that an attacker has somehowinstalled on LAN 170. War driver 150 includes any well known approachfor accessing wireless networks using “drive-by” techniques in which aperson utilizes a wireless-enabled portable device to access unprotectedwireless networks.

LAN 170 in FIG. 1 is a typical local area network, consisting ofinterconnected network segments 172, 174, 176, and 178. As will becomeapparent, the WID system can provide various types of information aboutattempts to access a wireless network. Such information is communicatedto a user via management console 180 that can, for example, be runningin the user's facility. Management console 180 can provide informationon:

-   -   tracking of authorized and unauthorized access points and        clients;    -   location of authorized and unauthorized wireless access devices;    -   changes to configurations of known and authorized access points;    -   health of WIDS nodes;    -   denial of service (DoS) attempts;    -   tracking of multiple connection attempts by unauthorized        wireless access devices over a period of time;    -   tracking how long an unauthorized wireless access device has        attempted to access the network; and    -   attempts to spoof an authorized access point.

In an embodiment, management console 180 can be implemented over aSecure Sockets Layer (SSL) encrypted web interface, as would beapparent. In addition, the management console is, in an embodiment, SNMPcompatible and so can be used with features found in typical remote SNMPmanagement software (including, for example, the OpenView software suitefrom Hewlett Packard) to notify the user via electronic mail (e-mail) orany other notification mechanisms. Additionally, the management consolecan provide multiple user authorization levels, allowing differentpeople within an organization to have differing levels of access to theinformation in the WID system.

WIDS nodes 120 are loaded with software capable of inferring wirelessnetwork electromagnetic characteristics unique to the particular networkconfiguration as deployed. In one embodiment, the location of each WIDSnode is, at time of deployment, calibrated using known information fromthe wireless network of interest. Calibration input types can include,for example, measured distance to a known stationary calibration point,signal and noise levels, and other variables as appropriate. Location ofan intrusion of the wireless network can be determined more accuratelyby applying a neural network or genetic algorithm to historical signalstrength statistics collected from continuous input, as would beapparent. In addition, location of a wireless access device can beachieved by triangulating data on the wireless access device usinginformation from multiple WIDS nodes.

WIDS collector 110 contains software that determines the proximity andapproximate location of an event source to the WIDS node by implementingknown algorithms to spatial coordinates and wireless signalcharacteristics. In one embodiment, geographic coordinates collected atlinear intersections of a structure or coverage area are applied to arectangular grid overlaid on a representation of the blueprint orspatial area. Using basic cartographic methods, geographic coordinatescorresponding to WIDS nodes deployed on a campus, structure or othercoverage area may be obtained. In one embodiment, triangulation methodsmay be used to calculate approximate position given signal informationand coordinates.

In FIG. 2, a WIDS collector 110 according to one embodiment of thepresent invention includes a host processor 218, flash based storagemedia 203, and a typical mechanical hard drive 201. Hard drive 201could, for example, be a SCSI or IDE hard drive accessible over hostport 202. Host processor 218 is also supported by memory 204 connectedto a controller for the host 205, and a man-machine interface (MMI)(shown in this example as keyboard and monitor 206). Additional humaninterface is provided by RS232 compliant universal asynchronous receivertransmitter (UART) 215 connected to serial terminal connector 212. Powersupply 209 provides power for the main subsystem and support components.

The communications link between WIDS collector 110 and WIDS nodes 120uses a proprietary out-of-band radio 208 connected to a standard RS232UART port 213 of host processor 218. In this particular implementation,out-of-band radio 208 contains the necessary level shift required for10-12V signaling and is protocol and RF interoperable with out-of-bandtransistor-transistor logic (TTL) radio 327 of WIDS node 120 (as shownin FIG. 3).

In addition, communication means 230 is provided to allow WIDS collector110 to communicate with WIDS nodes 120 using other radio protocols.These protocols could, for example, include new technologies such asultra wideband (UWB), or other narrow band and spread spectrum devices.Connection of other radio devices using other radio protocols overcommunication means 230 in this embodiment is via standard universalserial bus (USB) ports 207A and USB host connector 207, though other I/Osuch as the host expansion bus 240 could be used.

Connection of WIDS collector 110 to a wide area network (WAN) ormonitoring facility is accomplished via an expansion bus shown here ashost expansion bus 240 using either the Media Access Controller (MAC) orPhysical Interface (PHY) of the main NIC interface 217 or the ancillaryNIC subsystem 216, as would be apparent. Additional connectivity to theWAN is provided by a modem 211 or a cellular connection 210 via anotherUART 214. Other WAN connections could also be used as they becomeavailable and interfaced using any other expansion interfaces.

For protection of the data transmission between WIDS collector 110 andWIDS nodes 120 a cryptographic accelerator 219, such as those offered byBroadcom and HiFn, is provided, shown here using host expansion bus 240to communicate with host processor 218 over host PCI port 220.

As shown in FIG. 3, WIDS node 120 consists of a low power embeddedprocessor 303. Many processor architectures are available as embeddeddevices with ARM and x86-based devices being readily available. In anembodiment, an x86-based system-on-chip (SOC) device such as NationalSemiconductor Geode SC2220 was selected as embedded processor 303. Sincethis is an embedded device, a flash disk 302 is connected to host IDEport 329, which can, as would be apparent, allow for firmware updates ofWIDS node 120. Other flash-based storages such as disk on chip (DOC) orcompact flash could also be used. Memory 301 interfaces to embeddedprocessor 303 via host memory interface 306, as would be apparent. Testheaders 307 are provided on the CRT and keyboard ports as well as theconsole UART 328. In this instance, a camera input is provided byembedded processor 303 for optional camera 308 connections. This can beused to provide such things as visual verification and video capture forlater prosecutions of suspected intruders, along with any other purposesthat would be served by having video information.

Power for WIDS node 120 is provided by the power/control subsystem 319that can be “shore powered” with alternating current (AC) using atypical wall transformer 323. Battery operation or backup can bemaintained via a rechargeable cell 322 and charging system 321. Fulltime battery operation can be selected using jumper 320. Charge voltageand current can be from wall transformer 323, or via solar panels 324and/or small windmill 325 to eliminate wiring requirements in outdoorlocations.

During battery operation, power management can be achieved using a smallmicrocontroller 330, such as the Microchip 16C74. This particular deviceprovides a very low power standby mode using 32 kHz watch crystal 315for sleep mode and high speed crystal 314 for normal, full poweroperation. Microcontroller 330 controls the main power supply 319 viarelay control 319A. During sleep mode, microcontroller 330 receivespower via low quiescent charge pump 317 directly from rechargeable cell322. Control of power/control unit 319 is also available via the SOCGeneral Purpose I/O (GPIO) port 335.

Microcontroller 330 also provides engineering data for remote WIDS node120 using the eight on-board analog-to-digital (A/D) converters. Forexample, case temperature is provided to the microcontroller 330 A/Dconverters using a thermistor 313. Case tamper information is providedvia the tamper mechanism 316, also connected to the microcontroller 330A/D's since it is always on, even during sleep mode. This data, inaddition to other diagnostic info such as supply voltages and batterycharge, are monitored and sent to embedded processor 303, in thisexample, via the UART 313. This information is relayed to the WIDScollector 110 to monitor the health (or status) of the remote WIDS node120.

WIDS node 120 connectivity to WID controller 110 is provided using theaforementioned proprietary out-of-band radio protocol. ProprietaryTTL-level out-of-band radio 327 connects to embedded processor 303 viaUART 305. Other protocol radios 310 can be used for both the out-of-bandfunction or as additional monitoring interfaces.

Another method for connection of the typical wireless LAN networkinterface card (NIC) is provided by a multitude of possible interfaces.Multiple USB WLAN devices 309 are connected using USB port 312A onembedded processor 303 via connector 312. As higher speed WLAN devicesbecome available, connection to the host embedded processor 303expansion bus, in this case the host PCI 304, affords higher data rateWLAN devices 326 shown here using the MINIPCI form factor. Additionally,provision is made for connection of Card Bus/PCMCIA style of WLANdevices using Card Bus bridge 341 and Card Bus/PCMCIA connector 342.

WIDS node 120 encryption processing is shown as being provided by adedicated cryptographic accelerator 340 connected to the host PCI bus304 of embedded processor 303. This off loads the processing ofencrypted data from the host embedded processor 303.

As described above with reference to the WID system in FIG. 1, the WIDsystem consists of a central administrative and analysis component(i.e., WIDS collector 110) and multiple wireless data acquisitioncomponents (i.e., WIDS nodes 120). WIDS collector 110 to WIDS node 120communications and WIDS node 120 to WIDS collector 110 communicationsoccur across an out-of-band packet radio network. In one embodiment, a900 MHz radio network is used for the out-of-band communications. Toaccommodate potential radio interference and increase scalability, anyWIDS node 120 may act as the primary data communications proxy (i.e.,primary WIDS node) for other WIDS nodes (the other WIDS nodes beingcalled secondary WIDS nodes or nodes).

A WIDS trap service describes a simple TCP service present on all WIDSnodes 120 (including primary WIDS node 125) and WIDS collector 110. Thisservice functions to forward data to the appropriate softwaresubsystems. This service provides to the WID system a method ofencrypted data transport between WIDS nodes 120 and primary WIDS nodes125, and primary WIDS nodes 125 and WIDS collector 110. This service isresponsible for the communication of all WIDS packet types, in oneembodiment to include configuration, diagnostic, and health. The WIDStrap service also transfers unencrypted packet payloads to parsercomponent for further processing or analysis, as appropriate.

A WIDS parser component describes a simple utility present on all WIDSnodes 120 (including primary WIDS node 125) and WIDS collector 110 whichcommunicates received data to appropriate operating system orapplication components. In one embodiment, the WIDS node parserimplementation receives unencrypted packets of type configuration fromthe WIDS trap service. Packets of type “configuration” contain specificinstructions to update WIDS node system files, software, devicefirmware, and other critical components as appropriate. The WIDScollector parser implementation receives unencrypted packets of type“diagnostic” and “event” from the WIDS collector trap service. In oneembodiment, a WIDS collector parser applies basic formatting to the dataand forwards the resulting information to a MySQL database service orSNMP-capable enterprise management software.

In an embodiment, a WIDS Communication Protocol (WCP) defines acommunications method between WIDS nodes 120 and WIDS collector 110. Theprimary network service associated with these communications is referredto as the “Trap Service”, as described above. WCP is anapplication-layer transmission control protocol (TCP) that providescommunications between WIDS node and WIDS collector Trap Service daemonsvia Generalized Radio Internet Protocol (GENRIP) packets that have beenencrypted with Advanced Encryption Standard (AES). A pre-loaded“customer key” is used to encrypt configuration, initialization, and keyexchange packets. A unique “session key” generated by WID collector 110is used to encrypt event and health packets for each instance of WIDnode 120. In an embodiment, both the customer key and session key are256-bit keys, but other key lengths can be used for either key.

The WCP defines at least four different types of packets, each of whichis described in further detail below. In general, a generic packet typecontains information that defines the packet as a WCP packet andprovides common information for all packet types; a diagnostic packettype contains data regarding the status of the WIDS nodes; an eventpacket type contains information regarding events that have occurred inthe wireless network; and a configuration packet type containsinformation regarding the system configuration, including softwareversions, applications, and operating system information.

TABLE 1 WCP generic packet IP | TCP | HEADER | TIMESTAMP | TYPE | PACKET

In an embodiment, the fields in the generic packet type have thestructure shown in Table 1. The generic packet is a component of allother WCP packets, and uniquely identifies them as being WCP packets.The generic packet is used between the WIDS collector and primary WIDSnodes, and between the primary and secondary WIDS nodes (i.e.,throughout the WID system). The main function of the generic packet isto identify the packet as a WCP packet. The HEADER field has a length of16 bits and contains the static value of 0x4E53, providing the WCPpacket identification.

The TIMESTAMP field in the generic packet ensures that each packet has atimestamp associated with it. This can be used for a number of purposes,including, for example, to preserve the time of particular events thatwill allow resolution of issues related to latency caused by networkcongestion. In an embodiment, the value placed in the timestamp field isprovided by a POSIX 0.1 time( ) system call. The type field in thegeneric packet, in one embodiment of the WCP, is an 8-bit value thatindicates to the trap service how to process the packet or specifies towhich subsystem that packet belongs.

TABLE 2 WCP diagnostic packet WCP | Tcpu | Tsys | V0 | V1 | V2 | V3 |BATT | CHECKSUM | RESERVED

The diagnostic packet type (with a TYPE value of 0x01 in an embodiment)shown in Table 2 is sent from the secondary WIDS nodes to the primaryWIDS nodes, and the primary WIDS nodes pass it on to the WIDS collector,both communications using 256-bit AES encryption and a session key thatwill be described in further detail below. The WCP field in the WCPdiagnostic packet contains a WCP generic packet, as described above, toprovide the basic information to the recipient of the packet.

The diagnostic packet communicates status data from the secondary WIDSnodes to the primary WIDS nodes, including, for example, temperature,battery life, and voltages. Once the WIDS collector receives thisdiagnostic data on all WIDS nodes from the primary WIDS nodes, the WIDScollector can determine the system status. Once the system status hasbeen evaluated by the WIDS collector, it can cause various courses ofaction to be taken that are appropriate in light of the received data.For example, if the WIDS collector determines that the battery life of aparticular WIDS node is very short, the WIDS collector can send out amessage to a system operator notifying the person that the batteriesneed to be changed.

As shown in Table 2, there are a number of fields in the diagnosticpacket in one embodiment. The Tcpu, Tsys, V0, V1, V2, V3, and BATTfields are each 8-bit fields that provide information related to thehealth of the particular WIDS node. The Tcpu value indicates thetemperature of the CPU. The Tsys value indicates the ambient temperatureof the WIDS node inside the case. The V0, V1, V2, and V3 values eachindicate the level of a different voltage source. The V0 value indicatesthe voltage level on the 2.5VDC supply, the V1 value indicates thevoltage level on the 3.3VDC supply, the V2 value indicates the voltagelevel on the 5.0VDC supply, and the V3 value indicates the voltage levelon the 12.0VDC supply. The BATT field provides an estimate of thepercentage of battery life left.

The checksum field in the diagnostic packet can be used to providehost-based tamper detection and session hijacking detection. In anembodiment, the checksum can be a cryptographic hash value generatedfrom unique system variables, thereby providing data integrity. Forexample, a hash could be computed from combining the IP address of theradio, the unique serial number of the Geode processor, and a mediaaccess control (MAC) address unique to the WIDS node, as would beapparent.

Finally, the RESERVED field in the diagnostic packet can be used formonitoring future events or functionality. For example, individual bitflags could be defined for indicating particular types of tampering.

TABLE 3 WCP event packet WCP | CLASS | SRC | DST | CHANNEL | SSID | WEP| RSS | RESERVED

The WCP event packet (with a TYPE value of 0x02 in an embodiment)depicted in Table 3 communicates events that occur in the wirelessnetwork from secondary WIDS nodes 120 to primary WIDS node 125, and thenback to WIDS collector 110, using 256-bit AES encryption and a sessionkey that will be described in further detail below. The WCP field in theWCP diagnostic packet contains a WCP generic packet, as described above,to provide the basic information to the recipient of the packet.

The CLASS field in the event packet is a 6-bit field identifying theclass and subclass of packet received by the WID node. In oneembodiment, this field describes the packet as one of 802.11b packetclassifications Management, Control and Data. Associated sub-classes ofpacket type Management in this embodiment may indicate 802.11blink-layer mechanisms such as Association, Authentication, Probe, Beaconand others, as are apparent.

The SRC field in the event packet is, in one embodiment, a 48-bit fieldthat contains the MAC address of wireless access devices detected duringdata collection performed by WIDS nodes 120 in the WID system. In an802.11 wireless network, for example, the value in the MAC field couldcorrespond to the MAC addresses of detected clients or access points.Upon receipt of the event packet, WIDS collector 120 can determine thesignificance of the received MAC addresses.

The DST field in the WCP event packet is a 48-bit field containing theMAC address of wireless access devices for which the detected event isdestined. In an embodiment deployed for 802.11 technologies, this valueapplies to the wireless interface of an access point, broadcast address(ff:ff:ff:ff:ff:ff) or wireless interface of a client supporting ad-hocmode, as would be apparent.

The SSID field in the WCP event packet is a 256-bit service setidentifier of access points. This field allows a determination ofspecific information about a particular wireless access device, such asthe name of an access point. This can be used to help identify whetherthe wireless access device is a known wireless access device or anunknown wireless access device. Further information on the SSID can befound in Section 7.3.2.1 of IEEE std. 802.11b.

The CHANNEL field in the WCP event packet is an 8-bit value thatindicates the channel on which the event was detected. For example, inthe 802.11b protocol, channels 1 through 11 are used in the UnitedStates, channels 1 through 13 are used in Europe, and channel 14 is usedin Japan. Thus, the CHANNEL field in a WID system for 802.11 wouldcontain the channel number being used by the access point or client inthe 802.11 wireless network. To maintain applicability of this field tonew and emerging wireless network technologies, possible data valuesexceed those described by an 802.11b network embodiment.

The WEP field in the WCP event packet is a 4-bit value that indicateswhether Wired Equivalent Privacy (WEP) has been enabled. WEP is asecurity protocol that utilizes encryption to protect 802.11transmissions, as would be apparent. In one embodiment, the first bitindicates whether WEP is enabled on the detected wireless access devicewhile the remaining bits are reserved. This field could also be used, inanother embodiment, to indicate the version of the 802.11 protocol beingimplemented in the wireless network of interest (e.g., 802.11b, 802.11a,or 802.11g).

The RSS field in the WCP event packet is an 8-bit value that indicatesthe Received Signal Strength (RSS) of the particular event. In oneembodiment the signal level is collected by the firmware of the 802.11interface and passed to the application through a software driverinterface. The RSS field would then indicate the signal strength in dBm.

The RESERVED field in the WCP event packet is a 64-bit field that isreserved for future development and expansion. Potential uses include,for example, the mode of operation of the remote 802.11 wireless accessdevice, identifying patterns of hostile traffic or othervulnerabilities, and any other information related to the state ofdetected events.

TABLE 4 WCP configuration packet WCP | CMD | DATA

The WCP configuration packet (with a TYPE value of 0x03 in anembodiment) depicted in Table 4 updates system configuration informationin primary WIDS node 125 and secondary WIDS nodes 120, using 256-bit AESencryption and a preloaded customer key. The preloaded customer key is aunique key for each customer that is loaded into WID collector 110 andWID nodes 120. It is used to encrypt all WCP configuration packets(except those that contain the “enter configuration mode” command). Theconfiguration packets can contain updated system configurationinformation, drivers, firmware, kernels, and applications. The WCP fieldin the WCP diagnostic packet contains a WCP generic packet, as describedabove, to provide the basic information to the recipient of the packet.

The CMD field in the WCP configuration packet is a 4-bit value thatcontains commands to be executed by the receiving unit (i.e., the WIDSnodes). In an embodiment, the commands with the values 0x0 and 0xF arereserved values.

Numerous commands can be implemented in WCP for performing a number ofdifferent functions within the WID nodes. The current command setincludes the following:

AES KEY EXCHANGE

-   -   Value for CMD field: 0x01    -   Data:        -   256-bit session key for use in the AES algorithm to encrypt            communications between the secondary WIDS nodes and primary            WIDS node, and between the primary WIDS node and the WIDS            collector.        -   Time-to-live (TTL) value, which, in an embodiment, is a            standard UNIX timestamp. The use of an exact timestamp            rather than a traditional time to live value (i.e., a value            the merely indicates when use of a particular key is to            cease) accounts for possible drift between different clocks            in WIDS collector 110 and WIDS nodes 120. For example, WID            nodes may experience up to a 1/20^(th) second clock drift            per 15 minute polling period.

SYSTEM CONFIGURATION

-   -   Value for CMD field: 0x03    -   Data: Packet payload may include command scripts and binary data        to update system configuration, drivers, firmware, and other        system software.

If the session between primary WIDS node 125 to WIDS collector 110 isdisrupted, the WIDS collector broadcasts a Network Reset and indicateserror condition on Console. If WIDS collector 110 issues a SystemUpdate, primary WIDS node 125 issues Network Reset broadcast to allNodes. WIDS collector 110 issues a packet of type configuration withcommand System Update to primary WIDS node 125 to initiate replacementor modification of system configuration data, binaries, device firmware,or other WIDS components as is apparent. In one embodiment, primary WIDSnode 125 issues a Key Reset command in a packet of type configurationbroadcast to all WIDS nodes. Those WIDS nodes which receive a Key Resetcomplete transfer of pending diagnostic or event data, and revert to asystem state awaiting packets of type configuration encrypted with aunique pre-loaded customer key. Primary WIDS nodes receive system updateinformation from WIDS collector 110 and transmit it to the WIDS nodes120 for integrity verification and subsequent implementation of systemupdates.

The protocol above can be used by WID system to exchange informationthat can be used to locate a wireless access device within the wirelessnetwork. In particular, through the use of some simplifying assumptionsand known properties of 802.11 wireless access devices, a WID system canbe used to locate a wireless access device using omni-directionalantennas and without dependencies on system clocks.

A WID system using this approach requires the approximate positions ofthe listening stations to be known. Additionally, each WIDS node can betuned using the location of a known target wireless access device. Thistuning allows the system to take into account any variations in theimmediate environment of the WIDS node.

FIG. 4 depicts a first approximation by a WIDS node 410 of the locationof a wireless access device within a wireless network. In order todetermine the location of wireless access devices, WIDS node 410 firstdetermines the channel on which each target wireless access device isoperating.

The determination of the channel on which a wireless access device isoperating is affected by the concept of “channel bleed”, which is the802.11 defined method of transmitting a radio signal on a channeladjacent to the intended channel to allow wireless access devices tobetter find existing wireless networks. Channel bleed results in theability to detect 802.11 communications, at a lower received signalstrength (RSS), on channels other than the channel on which a wirelessaccess device is transmitting at full strength. The inclusion of channelbleed signals in the determination of the location of a target wirelessaccess device would erroneously lead to distance calculations that willmake the wireless access device appear further away than it actually is.Consequently, it is necessary to determine the channel on which thetarget wireless access device is transmitting at full strength.

Channel determination can be affected by certain characteristics of theparticular mode of wireless network operation. For example, in an 802.11network operating in infrastructure mode, access points are responsiblefor keeping all members of the network transmitting and receivingtransmissions on the same channel. According to the 802.11 protocol, theaccess point either remains on the same channel at all times or has apredictable channel hopping pattern that all members of the networkfollow. In an ad-hoc network, however, a list of member wireless accessdevices is not maintained by any single member of the network.Therefore, there is no single device which can provide the currentchannel of all of the other wireless access devices in the network. Inan embodiment of the present invention, a determination can be made ofthe channel on which a wireless access device is communicating withoutthe need to contact an access point or become a member of the ad-hocnetwork. The only data required is the RSS of transmissions from 802.11wireless access devices across the various channels of the 802.11spectrum.

To determine the channel on which a wireless access device iscommunicating according to the present invention, each WIDS node in thewireless network observes certain activity on each channel in thewireless network for a limited period of time. The data gathered canthen be used to calculate the channel on which each of the observedwireless access devices is communicating. In one embodiment of thepresent invention, each WIDS node spends two seconds observing an 802.11channel. The RSS of all transmissions received on that channel isstored. The WIDS node moves onto the next channel and observes thatchannel for two seconds. After observing and storing the activity on all802.11 channels, a table containing the channel and signal strength canbe formed using wireless access devices as the key. In one embodiment,the table is stored at the WIDS node. To form the table, the WIDS nodeutilizes the observed data for each wireless access device, whichcontains the observed channel and signal strength. From this set ofdata, an average RSS is calculated per wireless access device perobserved channel. For each wireless access device, the channel on whichthe wireless access device is transmitting is determined from thechannel with the largest average RSS.

In the case of 802.11 networks that maintain the same channel over thelifetime of the network, the table resulting from the above steps can bemaintained over time to further validate the calculated channel. In anembodiment, the weight given to data gained from previous passes throughthe 802.11 spectrum is reduced with each subsequent pass. In the case ofnetworks that utilize channel hopping, however, the data from previouspasses through the 802.11 channels must be discarded before beginning anew pass. Further, the type of network in use can easily be obtainedthrough trivial observation of the 802.11 packets transmitted by thewireless access devices.

As described above, an average RSS for transmissions on the wirelessaccess device's channel is stored in order to generate more accuratelocation information for a target wireless access device. Since 802.11wireless access devices tend to be attached to mobile systems, in oneembodiment a weighted average RSS is maintained to account for themovement of the target wireless access device. As time passes, a singleRSS data point carries less and less weight in the average utilizingthis approach. This results in an average RSS that provides informationthat will allow both an accurate location of a target wireless accessdevice at a given time as well as the ability to track a wireless accessdevice that is moving.

Based on the received signal strength and the sensitivity of WIDS node410, a distance 420 from WIDS node 410 can be determined. In particular,distance is a function of the RSS of the transmission. The followingformula is used to determine distance 420 from WIDS node 410 to a targetwireless access device:

RSS(dBm)=C−35 log₁₀ D

where C is a tuning constant and D is the distance, as specified in “APractical Approach to Identifying and Tracking Unauthorized 802.11 Cardsand Access Points,” by Interlink Networks, Inc.

Since WIDS node 410 does not have the capability to determinedirectional information from a wireless access device, distance 420 fromWIDS node 410 can be viewed as corresponding to an area around WIDS node410. In one embodiment, distance 420 can be a radius of a circle 430.Thus, from distance 420, circle 430 can be determined. Circle 430represents all possible points where a target wireless access devicewith a particular RSS could be located. In one embodiment, predeterminedmargin of error 440 is added and subtracted from distance 420 to accountfor possible error in the determination of distance 420. This producesapproximation band 450 which represents the overall approximate areawithin which a target wireless access device at distance 420 could belocated.

In one embodiment, WIDS node 410 is known to have a constant (C) of80.0. By way of example only, if WIDS node 410 determines a receivedsignal strength of 24 dBm for a particular detected wireless accessdevice, WIDS node 410 can determine that the distance to such a wirelessaccess device is 132.7 feet. With margin of error 440 of 10 feet,approximation band 450 with a width of 20 feet will be centered on WIDSnode 410.

In addition to determining the channel on which a wireless access deviceis communicating, the approach described above can also be used todetect ad hoc networks. In one embodiment, each WIDS node in thewireless network is already observing data in the wireless network, inorder to calculate the signal strengths and, ultimately, the distancesfor each wireless access device detected. That same data can be parsedand examined by the node. In particular, the node can examine the BasicService Set Identifier (BSSID) of the observed packets. In aninfrastructure network, the BSSID of a particular device is set to theMAC address of that device. In contrast, the BSSID in an ad hoc networkwill consist of a number of random bits generated by the first member tojoin the ad hoc network. In one embodiment, the BSSID in an ad hocnetwork can be 46 bits. By examining the BSSID bits, the WIDS node candetermine if the observed packets are a part of an infrastructure or adhoc network.

Since a WIDS node can only determine received signal strength, but notdetermine direction, multiple WIDS nodes can be used to betterapproximate the actual position of a wireless access device. FIG. 5shows WIDS node 504, WIDS node 506, and WIDS node 508 within a wirelessnetwork 500. In an exemplary embodiment, WIDS node 504 determinesdistance 524 for a particular wireless access device. Similarly, WIDSnode 506 determines distance 526 for a particular wireless access deviceand WIDS node 508 determines distance 528 for a particular wirelessaccess device. Accordingly, approximation bands 514, 516, and 518 can becalculated for WIDS nodes 504, 506, and 508 respectively. When awireless access device falls within the range of two or more WIDS nodes,approximation bands 514, 516, and 518 can overlap as shown by the shadedareas in FIG. 5. Each intersection of approximation bands around two ormore WIDS nodes, which, in one embodiment are calculated at the WIDScollector, represent a possible location of the wireless access devicebeing detected. The more approximation bands that overlap atapproximately a single point, the higher the probability that that pointis the actual location of the wireless access device.

In particular, overlap area 550 shows the intersection of approximationband 514 around WIDS node 504 and approximation band 518 around WIDSnode 508. Likewise, overlap area 560 shows the intersection ofapproximation band 516 around WIDS node 506 and approximation band 518around WIDS node 508. Overlap area 570 represents the intersection ofall three approximation bands. Since this area has approximation bandsfrom three WIDS nodes overlapping, it represents the area where thehighest probability exists that a wireless access device is locatedwithin that area.

The approach described above, in addition to using only omnidirectionalantennas, does not require highly precise system clocks for the systemcomponents (i.e., the system clocks can be synchronized to a muchcoarser resolution than prior approaches). The approach also requiresfewer listening stations to cover a given area than would be needed fora typical IDS solution. Additionally, the location of a wireless accessdevice can be determined regardless of the device manufacturer orantenna the wireless access device is using. Also, the use ofomni-directional antennas allows any wireless access device within therange of the WIDS node to be tracked.

The approach to locating wireless access devices using a WID system asshown in FIG. 5 also provides the ability to track wireless accessdevices that are moving. While the direction and speed of a movingtarget wireless access device has a tendency to skew the results of atypical IDS solution, in the above approach the arrival time of a signalis not a factor in determining location. Thus, moving wireless accessdevices can be tracked with the same accuracy as a stationary target.

The above described technique can also be used to detect MAC spoofing,based on the location information for a particular wireless accessdevice. Although the MAC address of a wireless access device representsan identifier that should be unique across all network devices, most802.11 network wireless access device manufacturers actually allow usersto change the MAC address of the wireless access device. This ability tochange the MAC address of a wireless access device presents a challengewhen an intrusion detection system relies on the uniqueness of the MACaddress to track the wireless access device. In addition, numerousattacks on wireless networks begin with a modification to the MACaddress of the attacking wireless access device. The ability to identifymodified MAC addresses becomes critical to the effectiveness of anywireless IDS system.

To detect modified MAC addresses, the location of a transmitting 802.11wireless access device can first be determined as described above. Thislocation can then be associated with the observed wireless accessdevice. When a new observation is made of that wireless access device,the new location can be compared with the old location. If the locationhas not changed or varies within a reasonable range (given the timedifference between observations), it can be assumed that the MAC addressof the wireless access device has not been replicated. Should the sameMAC address be observed in two or more locations in a short period oftime, however, it can be assumed that one or more wireless accessdevices are using the same MAC address. In particular, if the wirelessaccess device is defined to have a static location, the observedlocation and the static location are compared. If the difference isoutside of tolerances, an alert is raised. Similarly, if the wirelessaccess device is defined to be mobile, its observed location is comparedto its last observed location. Given the time delta betweenobservations, a reasonable tolerance for the change in location can becalculated. If the delta in observed locations exceeds this tolerance,an alert is raised. This use of location for identifying MAC addressspoofing eliminates the need for costly spectrum analysis equipment ofother potential approaches and leverages the existing properties of the802.11 wireless access devices.

In addition to detecting spoofing via changes in the location of awireless access device, other techniques can be used in a wirelessnetwork to detect spoofing and other anomalies. One approach would be toobserve and report on every 802.11 packet. This, however, would bedifficult to implement because of cost and processing constraints.Instead, a distributed approach can be used to track data that can beused to detect various anomalies. In one embodiment of the presentinvention, a state table is constructed that tracks the current activityof all observed 802.11 wireless access devices and only reports changesin the state of the wireless access device. This enables the WIDS nodeto sample all 802.11 channels in a short period of time, store only thecurrent state of the wireless access device, and report only on changesin that state.

While other IDS solutions observe traffic with the goal of identifyingintrusions, the source of the intrusion, and the target of theintrusion, a state based approach to wireless intrusion detectionfocuses on the presence of an intrusion, the location of the source, andthe identification of the target. Based on the state changes of theintruding wireless access device and the target wireless access device,the intrusion technique can be determined.

Observing an 802.11 network is equivalent to monitoring a wired networkin the sense that all packets seen are at the data-link layer (layer 2)of the well known Open System Interconnect (OSI) model. In 802.11 MACframes, however, the class and type of packet are included. There arethree classes of 802.11 MAC frames: management, data, and control. Foreach of these MAC frames, the direction and type of data can bedetermined by parsing various fields within the MAC frames. This canpermit an observer to determine the existence of an intruder and theactivity of that intruder without reconstructing higher layer sessionsby parsing and storing the data portion of the MAC frame.

In general, 802.11 wireless access devices move through the variousstates of a session in a predictable manner, as described below withrespect to FIG. 6 and FIG. 7. This facilitates the tracking of thecurrent state and possible next states for a particular wireless accessdevice. This information can be obtained quickly from observing 802.11MAC frames, and the storage of this information is minimal. Reportingonly changes in wireless access device state greatly reduces the amountof traffic between a WIDS node and a WIDS collector when compared withreporting performed with the observation of each packet.

In an embodiment, tracking the states of one or more wireless accessdevices can consist of the following process. First, a state transitiontable is created that includes a wireless access device, its state, andthe devices with which it is communicating.

When a wireless access device that does not have an entry in the statetransition table is observed as either the transmitter or receiver of an802.11 packet, an entry in the state transition table is created and anevent is sent to the WIDS collector. When a wireless access device thathas an entry in the state transition table is observed at a later time,the type of the observed packet as well as the participating device iscompared to the contents of the state transition table entry. If eitherpiece of data is different from that of the state transition tableentry, the state transition table entry is updated and an eventnotification is sent to the WIDS collector. The events received by theWIDS collector can then be used to check for security policy violations,new intruders, and anomalous wireless access device behaviors. Inparticular, the WIDS collector can be configured with one or more policyelements that define the types of activities that are permitted orprohibited for a particular network. In the event that a policy elementis violated, a user can be signaled by sending an alert to that user.The user could then evaluate the alert and respond accordingly. Forexample, a policy element could consist of an indicator that thewireless access device is a fixed wireless access device, a movablewireless access device, a moving wireless access device, an unknownwireless access device, or a spoofed wireless access device. Althoughthese are just a few examples, there are many other policy elements thatcould be defined for a given network.

FIG. 6 is a state transition chart illustrating the valid state changesthrough which a wireless access device may progress. Specifically, awireless access device in infrastructure mode (i.e., an infrastructureclient) would, in one embodiment, start out in disconnected state 697.Upon sending a probe request and waiting for a probe response,infrastructure client would progress to state 1, infrastructure clientprobing 601. After receiving the response, the infrastructure clientwould issue an authentication request and then transition to state 2,infrastructure client authenticating 602.

While in state 2, infrastructure client authenticating 602, theinfrastructure client would receive an authentication response from theaccess point, then issue an association request. The infrastructureclient would then transition to state 3, infrastructure clientassociating 603. The client would remain in state 3, infrastructureclient associating 603, until it receives an association response fromthe access point. At that point, it would be free to send or receive adata frame from the access point. Upon receipt of such a frame, theinfrastructure client would transition to state 5, infrastructure clienttransmitting data 605. The infrastructure client would remain in state5, infrastructure client transmitting data 605, until it either (a)issues a disassociation request, (b) powers down, or (c) becomesdisassociated due to some other reason. In the latter case, where theinfrastructure client has become disassociated and has entered state 4,infrastructure client reassociating 604, the infrastructure client wouldtransition back to state 5, infrastructure client transmitting data 605,upon issuing a reassociation request and receiving an associationresponse.

In the case where the infrastructure client issues a disassociationrequest, it would enter state 6, infrastructure client disassociating606. Once in this state, the infrastructure client would then issue adeauthentication request and enter state 7, infrastructure clientdeauthenticating 607. Once deauthenticated, the infrastructure clientwould then enter disconnected state 697.

FIG. 6 illustrates one further state that could occur. In passivenetwork detection (listen for beacons) state 620, the infrastructureclient passively listens for beacons.

FIG. 7 a state transition chart illustrating additional valid statechanges through which a wireless access device may progress.Specifically, a wireless access device in ad hoc mode (i.e., an ad hocclient) would, in one embodiment, start out in disconnected state 797.Upon sending a probe request and getting a probe response, ad hoc clientwould progress to state 1, ad hoc client probing 701. The ad hoc clientwould then issue an authentication request and, upon receiving anauthentication response from another client in the ad hoc network, wouldtransition to state 8, ad hoc client authenticating 708. The ad hocclient would remain in state 8, ad hoc client authenticating 708, untilone of the other ad hoc clients initiated a data transfer to or from thead hoc client of interest by sending a predetermined 802.11 frame to thead hoc client of interest. Upon receipt of such a frame, the ad hocclient would transition to state 9, ad hoc client transmitting data 709.The ad hoc client would remain in state 9, ad hoc client transmittingdata 709, until it either (a) issues a deauthentication request, or (b)powers down.

FIG. 7 illustrates two additional states could occur. In passive networkdetection (listen for beacons) state 720, the ad hoc client passivelylistens for beacons. In beaconing state 711, the ad hoc client beaconsother ad hoc clients.

FIG. 8 contains an exemplary state transition table 800 that could bemaintained at a WIDS node in an embodiment of the present invention.Such a table could be used for a number of different tasks, includingidentification of illegal state changes for a given wireless accessdevice. As an example, at a step 802, WIDS node X could detect Client Ainitializing with an access point AP001. In this example, step 802starts out with event 1 corresponding to Client A issuing a proberequest, and receiving a probe response back from AP001 in event 2. Thiswill result in Client A being in state 1 (corresponding toinfrastructure client probing 601 in FIG. 6). Step 802 continues withClient A issuing an authentication request in event 3, and receiving anauthentication response from access point AP001 in event 4, resulting inClient A being in State 2. Continuing with the initialization in state3, Client A issues an association request in event 5 and receives anassociation response in event 6. Finally, at the end of step 802, ClientA and access point AP001 begin passing data, with Client A being inState 5.

Continuing with the example, at a step 804, WIDS node X could detectClient B initializing with an access point AP002. Step 804 starts outwith event 9 corresponding to Client B issuing a probe request, andreceiving a probe response back from AP002 in event 10. This will resultin Client B being in state 1. Step 804 continues with Client B issuingan authentication request in event 11, and receiving an authenticationresponse from access point AP002 in event 12, resulting in Client Bbeing in State 2. Continuing with the initialization in state 3, ClientB issues an association request in event 13 and receives an associationresponse in event 14. At the end of step 804, Client B and access pointAP002 begin passing data, with Client B being in State 5.

In a step 806, Client A appears to goes through the same initializationprocess described above with respect to step 802, but now with accesspoint AP003 instead of access point AP001. Next, in a step 808, an eventhas occurred where Client A is now communicating again with Access PointAP001. This could be a possible spoof, where one wireless access deviceis being made to appear as a different wireless access device through,for example, the use of illegitimate credentials. This could occur, forexample, where a wireless access device asserts a device identification(e.g., a MAC address) of a different wireless access device known toexist within the wireless network. The state table analysis, which canoccur at either the WIDS collector or WIDS node, can detect thepotential spoof since Client A appears to have transitioned from State 5while communicating with access point AP003 to State 5 while nowcommunicating again with access point AP001 (without initializing withaccess point AP001 again). This indicates that the initialization by thesupposed Client A with access point AP003 at step 806 was a likelyspoof, since the likely real Client A was still attempting communicationwith access point AP001 in step 808. Once this illegal set oftransitions has been identified, an alert could be raised so that aninvestigation could be conducted.

In a step 810, Client B issues a probe request at event 27 and receivesa probe response from access point AP099. At a step 812, however, ClientB immediately begins transmitting data to access point AP099. This is anillegal state transition for which an alert could also be raised.

FIG. 9 depicts the schema of a back end database in a WID system. Eachschema utilizes an identification (or id) field as its primary key.Furthermore, each schema contains a number of fields that describevarious aspects of the WID system. Such schema could be used to storeinformation on the location of a wireless access device or oncharacteristics of a wireless access device, as determined above. Eachschema is described with respect to the following tables.

TABLE 6 IDS_Events Element Description Id an auto increment number usedas primary key for the event channel primary data from WIDS nodesignal_strength primary data from WIDS node Wep primary data from WIDSnode mac primary data from WIDS node ssid primary data from WIDS nodetimestamp primary data from WIDS node device_id from trap serviceevent_type set by trap service (e.g., 0 for access point, 1 for client)Event_status Will be set to 0 (null) when created by trap service. Asevents process sweep is initiated, it will be set to 1 (processing).After processing is finished, it will be set to 2 (reported).

Table 6 defines the data fields contained in the IDS_Events schema 904shown in FIG. 9, including the channel and signal strength of theparticular WIDS node, along with information on WEP, the MAC address,and the SSID of the WIDS node. IDS_Events also includes a timestamp ofthe event, a device_id value from the trap service, the type of eventthat has occurred, and the event status.

TABLE 7 Device_Health_Events Element Description id an auto incrementnumber as primary key device_id from trap service cpu_temperatureprimary data from WID sys_temperature primary data from WID voltage_0primary data from WID voltage_1 primary data from WID voltage_2 primarydata from WID voltage_3 primary data from WID battery_life primary datafrom WID timestamp primary data from WID

Table 7 defines the data fields contained in the Device_Health_Eventsschema 908 shown in FIG. 9, including a device_id value from the trapservice, values related to the health status of the WIDS node, and atimestamp value. The health status values can include, for example, theCPU temperature, the system temperature, various voltage values, and thebattery life.

TABLE 8 Unknown_AccessPoints Element Description id an auto incrementnumber as primary key mac the mac of unknown Access Point ssid the ssidof unknown Access Point ip the ip address of unknown Access Pointchannel the channel this unknown Access Point went thoughsignal_strength the signal strength of the unknown Access Point that theWID detected wep the encryption bits this unknown Access Point usedtotal_alarm count the total occurrences of a unknown Access Point whichhas the same mac, ssid, ip, channel, wep, device_id response will befilled by users when a proper action has been done active When a newAccess Point is discovered and entered, active==True. The user canchange the active==false if the access point is no longer visible. Oncethe new ids events report this unknown Access Point again, it will beactive==true again. device_id comes from backend process first_seen Thefirst time when this unknown Access Point was detected by WID last_seenThe last time when this unknown Access Point was detected by WIDlast_modified The last time when this unknown Access Point record wasmodified in the table to track the date of any modification of thisunknown AP

Table 8 defines the data fields contained in the Unknown_AccessPointsschema 912 shown in FIG. 9, which are filled by a backend sweep processat the WIDS collector. This process checks the new IDS events and addsnew unknown access points to the database according to the above schema.Information about the unknown access points that is entered into thedatabase can include the MAC address, SSID, IP address, channel, signalstrength, and WEP status. In addition, information about the status ofthe actions related to the unknown access points can be entered into thedatabase, including the total number of times the same access point hasbeen detected, the response taken, and whether the unknown access pointis active. In addition, the database entry for unknown access points cancontain the device ID of the WIDS node, the time it was first and lastseen by a WIDS node, and the last time the particular unknown accesspoint entry in the database was modified.

TABLE 9 Unknown_Clients Element Description id an auto increment numberas primary key mac the mac of unknown Client ssid the ssid of unknownClient ip the ip address of unknown Client channel the channel thisunknown Client went though signal_strength the signal strength of theunknown Client that the WID detected wep the encryption bits thisunknown Client used total_alarm count the total occurrences of a unknownClient which has the same mac, ssid, ip, channel, wep, device_idresponse will be filled by users when a proper action has been doneactive When a new Client is discovered and entered, active==True. Theuser can change the active==false if the Client is no longer visible.Once the new ids events report this unknown Client again, active==trueagain. device_id comes from backend process first_seen The first timewhen this unknown Client was detected by WID last_seen The last timewhen this unknown Client was detected by WID last_modified The last timewhen this unknown Client record was modified in the table to track thedate of any modification of this unknown AP

Table 9 defines the data fields contained in the Unknown_Clients schema924 shown in FIG. 9, which are filled by a backend sweep process at theWIDS collector. This process checks the new IDS events and adds newunknown clients to the database according to the above schema.Information about the unknown clients that is entered into the databasecan include the MAC address, SSID, IP address, channel, signal strength,and WEP status. In addition, information about the status of the actionsrelated to the unknown clients can be entered into the database,including the total number of times the same client has been detected,the response taken, and whether the unknown client is active. Inaddition, the database entry for unknown clients can contain the deviceID of the WIDS node, the time it was first and last seen by a WIDS node,and the last time the particular unknown client entry in the databasewas modified.

TABLE 10 Devices Element Description id An auto increment number asprimary key serial_number the WIDS node's serial number ip the ipaddress of the WIDS node name the descriptive name of the WIDS nodelocation describes the geographic position of the WIDS node geo_areasome description of the area of this WIDS node (Note that the range ofarea will be wider than the location. Some WIDS nodes may stay in thesame area with different location.) coordinates the data of this WIDSnode's coordinates format like (x, y) from GPS. master_mode if this WIDSnode is a primary WIDS node, this field will be 1, otherwise it will be0 create_date the first time when the device registered, it will bestored into this table as the create date last_update the last time whenthe record of the device been modified, it will be recorded as the dateof last update customer_id this field tells which customer this WIDSnode belongs to active used for device management to maintain thecurrent devices as ACTIVE, the historical devices as NOT ACTIVE

Table 10 defines the data fields contained in the Devices schema 920shown in FIG. 9, which contains data elements related to each WIDS node.This can include, for example, the IP address of the WIDS node, alongwith the name, location, geographic area, and coordinates of the WIDSnode. The Devices schema can also include an indication of whether theentry is a primary WIDS node, the creation date (i.e., the date the WIDSnode was put into service), the date of the last update of the WIDSnode, an identification of the customer, and a flag to indicate whetherthe WIDS node is currently active.

TABLE 11 Abnormal_Nodes Element Description id an auto increment numberas primary key device_id the foreign key that points to the Devicestable which this abnormal device belongs cpu_tmp_high the alarm flag toshow the WIDS node's CPU temperature going too high(Boolean variable)sys_tmp_high the alarm flag to show the WIDS node's system temperaturegoing too high(Boolean variable) voltage_alert the alarm flag to showthe WIDS nodes' voltage going to alert level (Boolean variable)battery_low the alarm flag to show the battery's life going to be endlevel sys_alarm this is a foreign key to point to Alarm_Types table,right now there are two types (they are: device down, device'sconfiguration changed). Note, this filed will be filled by other processwhen the alarm WID is still active, this field will be updated once anyone of the alarms is raised, otherwise it will insert a new alarm recordfor this device total_alarm before the status of this record is“CLOSED,” the total_alarm will accumulate the occurrences of the alarmonce no matter what kind of alarm or alert it has first_happen the firsttime this record is created last_seen the last time the event processupdates this record status this is a flag to see if this abnormal devicereport record has been responded to or not, if yes the record will bemarked as “CLOSED” comment the user may add some comment for this recordbefore the record is closed last_modified marks the last time when therecord was updated

Table 11 defines the data fields contained in the Abnormal_Nodes schema916 shown in FIG. 9, which contains data elements related to any WIDSnodes that have indicated any problems. This schema can include, forexample, WIDS nodes that have temperatures that are too high or voltagesthat are too high or too low. The data fields in this schema can includethe device ID, flags indicating the problem being experienced by theWIDS node, various alarm indicators, the time of the first event beingrecorded, the time of the last time the event was recorded, the statusof any responses to previous alarm indicators, a comment, and anindication of the last time that the abnormal WIDS node entry in thedatabase was modified.

TABLE 12 Alarm_Types Element Description id an auto increment number asprimary key name the name of the alarm type, so far have “Device_down”,“Config_Changed” description the description of the alarm type;

Table 12 defines the data fields contained in the Alarm_Types schema 918shown in FIG. 9, which contains data elements related alarms. This caninclude, for example, the name of the alarm type and its description.

TABLE 13 Known_AccessPoint_Alarms Element Description id an autoincrement number as primary key alarm_type the FK of the table whichpoints to the Alarm_Types table to see what type of alarm this record isstatus this is a flag to see if this record has been CLOSED or stillOPEN total_alarm accumulates the occurrences of the same Known AP'salarm first_seen marks the first time when this alarm was detectedlast_seen marks the last time when this alarm is detected device_idwhich device detected this alarm

Table 13 defines the data fields contained in theKnown_AccessPoints_Alarms schema 928 shown in FIG. 9, which containsdata elements related to alarms for known access points. This caninclude, for example, the type of the alarm, the status of theparticular record associated with the alarm, the total number of alarmsfor the same known access point, the time of the first alarm beingrecorded, the time of the last time the alarm was recorded, and the WIDSnode that detected the alarm.

TABLE 14 Known_AccessPoints Element Description id an auto incrementnumber as primary key mac the mac of the Access Point ssid the ssid ofthe Access Point ip the ip address of the Access Point channel thechannel this Access Point uses description Any useful information aboutthe Access Point vendor the vendor of this known Access Pointcustomer_id which customer owns this Access Point active if the knownAccess Point is no longer exist it will be NOT ACTIVE, otherwise it willbe ACTIVE

Table 14 defines the data fields contained in the Known_AccessPointsschema 940 shown in FIG. 9. Information about the known access pointsthat is entered into the database can include the MAC address, the SSID,the IP address, the channel used by the known access point, a textdescription, a field identifying the customer that owns the known accesspoint, and a flag indicating whether the known access point is active.

TABLE 15 Known_Clients Element Description id an auto increment numberas primary key mac the mac of the Client ssid the ssid of the Client ipthe ip address of the Client channel the channel this Client usesdescription any useful information about the Client client_name thedescriptive name for this Client customer_id which customer owns thisClient active if the known Client is no longer exist it will be NOTACTIVE, otherwise it will be ACTIVE

Table 15 defines the data fields contained in Known Clients schema 936shown in FIG. 9. Information about the known clients that is enteredinto the database can include the MAC address, the SSID, the IP address,the channel used by the known client, a text description, a fieldidentifying the client name, a field identifying the customer that ownsthe known client, and a flag indicating whether the known client isactive.

TABLE 16 Customers Element Description id an auto increment number asprimary key name the name of the customer description any usefulinformation about the customer active if the Customer is no longerexists it will be NOT ACTIVE, otherwise it will be ACTIVE created_datemarks the first time when this customer record is created

Table 16 defines the data fields contained in Customers schema 932 shownin FIG. 9, which can information such as the name of the customer, atext description, a flag indicating whether the customer exists, and thedate the customer record was created.

TABLE 17 POC Element Description id an auto increment number as primarykey title the title of user firstname the first name of the userlastname the last name of the user address the address of the user cityregistration information state registration information countryregistration information zipcode registration information phone1registration information phone2 registration information faxregistration information email registration information pagerregistration information role_cust_client if the user is a CustomerClient this field will be set as 1 role_cust_admin if the user is aCustomers Admin this field will be set as 1 role_sys_field if the useris a System Field Engineer this field will be set as 1 role_sys_admin ifthe user is a System Root Engineer this field will be set as 1 active ifthe user is no longer exist, it will be set as NOT ACTIVE, otherwise itwill be ACTIVE created_date marks the time when this user record wascreated

Table 17 defines the data fields contained in Point of Contact (POC)schema 944 shown in FIG. 9. POC information about the user can includethe title, first name, last name, address, phone numbers, a set of flagsindicating the role of the user, a flag indicating whether the userexists, and the date the user record was created.

TABLE 18 Authenticated_ips Element Description id an auto incrementnumber as primary key ip_address the IP address which is legal foraccessing the collector application host_name the host name descriptionany useful information about the entry active describes if theauthenticated IP is still active or not

Table 18 defines the data fields contained in Authenticated_ips schema952 shown in FIG. 9, which is used to store the authenticated Ethernethosts that can access the web server associated with the wirelessnetwork of interest. The entries in the database associated with thisschema can include the IP address of the host, the host name, a textdescription, and a flag indicating whether the host is active.

TABLE 19 Userlog Element Description id an auto increment number asprimary key login_time records each user's login time whenever theylogged into the system poc_id records the user id authen_ip_id recordswhich remote authenticated host the user came from

Table 19 defines the data fields contained in Userlog schema 948 shownin FIG. 9, which is used to track the user login data. The entries inthe database associated with this schema can include the user's logintime, the user's identification, and the host from which the user loggedin.

FIG. 10 is a depiction of an exemplary structure for an implementationof a user interface to a WID system using the worldwide web. Such a webserver interface would allow access to alarm monitoring and systemmanagement information contained in the WIDS collector. The interfacefully controls system access level to the WIDS collector, and presentsto both customers and administrative personnel a well establishedwireless event monitoring and management center.

The main page, shown as web page 1002, consists of a header menu and awelcome message, along with possibly other introductory information. Webpage 1004 is a login page, where various users could access informationabout the WID system. In an embodiment, a user would login to access theWID system over the Internet. Alternatively, the user could login toaccess the WID system over a private network, such as a corporateintranet. A user can have one or more authorization levels. In anembodiment, the authorization levels can include a customer client,customer administrator, field engineer, or root administrator. Acustomer client or customer administrator can be associated withdifferent groups or business units within the customer organization.

After logging in, a user could check on numerous types of information,with the specific information available to each user being dependent onthe user's login authorization level.

The system functionalities can be divided into four main areas:

(1) Customer Client Level interface 1006 provides access to thefollowing functions and accessibility:

-   -   View IDS events 1008: This page will display all the IDS events.        It may contain a criteria form, which, in one embodiment, can        include the following database elements: event_type, devices,        dayindex, specific mac or ssid, and a list of choice of sorting        methods. Additional criteria can be added as necessary.    -   View unknown access points 1010: This page displays unknown        access points and their occurrences, and allows users to fill in        the response upon observation and analysis, which allows a user        to insert a user comment about that access point. In one        embodiment, a popup window could be used to provide this        functionality. This page is populated by a sweep of the        Unknown_AccessPoints table in the database.    -   View unknown clients 1012: This page displays clients who have        attempted access to the wireless network and their occurrences,        and allows users to fill in the opinion upon observation and        analysis. In one embodiment, a popup window could be used to        provide this functionality. This page is populated by a sweep of        the Unknown_Clients table in the database.    -   View known access points 1014: This page displays known access        points that belong to the customer and their occurrences.    -   View known clients 1016: This page displays known clients that        belong to the customer and their occurrences.    -   View WIDS node health status 1018: This regularly updated page        displays the current status of all WIDS nodes and indicates any        abnormalities detected at any of the WIDS nodes. An abnormal        WIDS node report button will allow the user to create a printed        report of abnormal WIDS nodes. In an embodiment, this page is        updated every five minutes, although the update rate can be        adjusted to meet the specific needs of the customer.    -   View unhealthy WIDS nodes 1020: This page displays unhealthy        WIDS nodes that have already been reported to users by the WID        system, and provides an update button and several status        indicators to allow users to update the status of any unhealthy        WIDS nodes.    -   Report interface 1024: This page allows a customer to create        various reports, including, for example, hourly, daily, weekly,        or monthly reports. It also allow a customer to generate        summaries and graphics indicative of the various data reported        by the WID system.

(2) Customer Administrator Level interface 1028 (which includes all ofthe Customer Client Level privileges described above) provides access tothe following additional functions and accessibility:

-   -   Known Access Points List Management 1030: This interface allows        a customer to add new known access points, or        activate/deactivate the currently identified access point in the        list of known access points.    -   Known Clients List Management 1032: This interface allows a        customer to add new known clients, or activate/deactivate the        currently identified client in the known clients list.    -   Customer Client Level User Management 1034: This interface        allows a customer to control its customer client accounts,        including, for example, adding new users, or        activating/deactivating a user identified in the point of        contact (POC) list associated with the role of customer client.

(3) Field Engineer Level interface 1036 (which includes all of theCustomer Client Level and Customer Administrator Level privilegesdescribed above) provides access to the following additional functionsand accessibility:

-   -   Customer Administration Level User Management 1038: This        interface allows a field engineer to control customer        administrator accounts, including, for example, adding new        users, or activating/deactivating a user identified in the point        of contact (POC) list associated with the role of customer        administrator.    -   Customer Management 1040: This interface allows a field engineer        to add new customers or activate/deactivate the currently        selected one in a customer list.    -   Device Management 1042: This interface allows a field engineer        to add new devices or activate/deactivate the currently selected        one in a device list.

(4) Root Administrator Level interface 1044 (which includes allprivileges described above for the Customer Client Level, CustomerAdministrator Level, and Field Engineer Level) provides access to thefollowing root level functions and accessibility:

-   -   Field Engineers Management 1046: This interface allows a root        administrator to add new field engineers or activate/deactivate        the current one in the POC list associated with the role of        Network field admin.    -   Root User Management 1048: This interface allows a root        administrator to add new root users or activate/deactivate the        currently selected one in a POC list associated with the role of        root administrator.    -   Ethernet (EN) Network Access Management 1050: This interface        allows input from management console to apply configuration        changes to packet filter or firewall configuration. Effect is to        limit availability of access to the administrative web server to        only authorized hosts or network segments.    -   EN Packet filter configuration 1052: Collector Ethernet network        access controls and restrictions. Input from management console        applies configuration changes to packet filter or firewall        configuration. Effect is to limit availability of access to the        administrative web server to only authorized hosts or network        segments.    -   Packet radio (PR) network access management 1054: 900 Mhz radios        implement frequency-hopping and pseudo-random numbers as seed to        provide link-level authentication unique to a given deployed        network.    -   WIDS collector firmware update 1056: This interface allows input        from the management console to upload firmware upgrades to the        WIDS collector.    -   WIDS nodes firmware update 1058: This interface allows input        from the management console to upload firmware upgrades to the        nodes.    -   Database administrator interface 1060: This interface allows        input from the management console to perform database        administration.    -   Upload new files to web server 1062: This interface allows input        from the management console to install files onto the WIDS        collector web server.    -   Hostname, Domain configuration 1064: This interface allows input        from the management console to change the identification        information of the WIDS collector.    -   Network configuration interface (Dynamic Host Configuration        Protocol (DHCP) or manual address configuration) 1066: This        interface allows input from the management console to configure        WIDS collector network settings.    -   VPN Configuration 1068: This interface allows input from the        management console to configure Virtual Private Network settings        on the WIDS collector, if used.    -   Port administration 1070: This interface allows input from the        management console to modify TCP port assignments on the WIDS        collector to, for instance, assign the web server access on port        4000 instead of 80 (default).    -   SNMP management 1072: Provides the following services—1)        specifies community string; 2) A checking list for appropriate        packet filter rules; 3) Cryptographic hash, also display to hint        user to enter this into their EMS.    -   SNMP event reporting 1074: Specifies IP address of SNMP trap        loghost(default set as localhost).    -   Node Configuration 1076: 1) Manual selection of master node; 2)        Debug mode toggle.    -   View userlog data 1078: This interface allows viewing from the        management console of the log of WIDS collector access attempts        by users.

According to the different access levels listed above, a POC table thatmaintains the roles of users is created in the database depicted in FIG.9. The POC table allows the WID system to manage the level of access ofeach user. Via entry of a username and associated passwordauthentication, the corresponding privileges will be granted to eachspecific user. Attempts to access different levels within the web pagethat are outside of the specific privileges associated with a user cancause a login window to appear, which will prompt the users to enteradditional authentication information to gain the access to a specificlevel.

The previous description of the disclosed embodiments is provided toenable any person skilled in the art to make or use the presentinvention. Various modifications to these embodiments will be readilyapparent to those skilled in the art, and the generic principles definedherein may be applied to other embodiments without departing from thespirit or scope of the invention. Thus, the present invention is notintended to be limited to the embodiments shown herein but is to beaccorded the widest scope consistent with the principles and novelfeatures disclosed herein.

1-6. (canceled)
 7. A method, performed by one or more components of anode, comprising: observing by the one or more components, a channel ina wireless network for a predetermined amount of time; parsing, by theone or more components, all packets transmitted on said channel;identifying, by the one or more components, protocol information in eachof said parsed packets; comparing, by the one or more components, saididentified protocol information to known patterns associated with an adhoc network; and determining, by the one or more components and based ona result of the comparing, that the ad hoc wireless network exists.
 8. Amethod as in claim 7 where said predetermined amount of time is lessthan 60 seconds.
 9. A method as in claim 7, where said predeterminedamount of time is approximately two seconds.
 10. A method as in claim 7,where said protocol information comprises a device identifier for afirst network device associated with the ad hoc network.
 11. A method asin claim 10, where said device identifier is a Basic Service SetIdentifier (BSSID).
 12. A method as in claim 11, where said BSSIDcomprises a random number generated by a second network device of the adhoc network.
 13. (canceled)
 14. A system, comprising: means forobserving a channel in a wireless network for a predetermined amount oftime; means for parsing a plurality of packets transmitted on saidchannel; means for identifying protocol information in each of saidparsed packets; means for comparing said identified protocol informationto a plurality of known patterns; and means for determining, based on aresult of the comparing, whether said packets were transmitted over saidwireless network or an ad hoc network associated with at least one ofthe plurality of known patterns.
 15. (canceled)
 16. (canceled)
 17. Awireless intrusion detection system (WIDS) node, comprising: means forcreating a state transition table for one or more detected wirelessaccess devices in a wireless network, the state transition tableincluding a first entry indicative of a first state of a communicationsession, via the wireless network, between the one or more detectedwireless access devices and at least one device, where the first stateis defined based on an identity of the one or more detected wirelessaccess devices and a type of at least one packet identifying the one ormore detected wireless access devices; means for observing a pluralityof packets sent by each of said one or more detected wireless accessdevices; means for identifying, based on said observing said pluralityof packets, a state change, from the first state, for at least one ofsaid one or more detected wireless access devices, when types of theplurality of packets differ from the type of the at least one packet andwhen the plurality of packets have sources and/or destinations otherthan the at least one device; and means for reporting said identifiedstate change to a WIDS collector.
 18. A wireless intrusion detectionsystem (WIDS) collector, comprising: means for receiving, from one ormore WIDS nodes in a wireless network, reports of state changes from afirst state of operation of a wireless access device, where the firststate is defined as an identity of at least one device in communicationwith the wireless access device and a type of a packet that identifiesthe wireless access device; and means for determining, based on saidstate changes, whether a particular activity, of a set of activities,has occurred within the wireless network.
 19. A WIDS collector as inclaim 18, where said means for determining activity determines whether asecurity violation has occurred.
 20. A WIDS collector as in claim 19,where said security violation comprises a spoof attack.
 21. A WIDScollector as in claim 19, where said security violation comprises anillegal state change.
 22. A WIDS collector as in claim 18, where saidmeans for determining activity determines whether an ad hoc network ispresent.
 23. The method of claim 12, where the second network device isan initial member of the ad hoc network and the BSSID does not include amedia access control (MAC) address for the first network device
 24. Thesystem of claim 14, where the means for comparing compares theidentified protocol information for a particular one of the parsedpackets, where the identified protocol information comprises BasicService Set Identifier (BSSID) of a first network device associated withthe particular parsed packet.
 25. The system of claim 24, where themeans for determining determines that the particular parsed packet wastransmitted over said wireless network, when the BSSID corresponds to amedia access control (MAC) address of the first network device, or overthe ad hoc network, when the BSSID comprises a number of random bits.26. The system of claim 25, where the number of random bits aregenerated by a second network device, where the second network devicecomprises an initial member of the ad hoc network.
 27. The WIDS node ofclaim 17, further comprising: means for determining whether theidentified state change corresponds to a next state transition that isprescribed or proscribed by a wireless network standard, where the meansfor reporting said identified state change only reports the identifiedstate change to the WIDS collector when the next state transition isproscribed by the wireless network standard.
 28. The WIDS node of claim28, further comprising: means for determining, when the next statetransition is proscribed by the wireless network standard, a type ofprohibited activity associated with the next state transition.
 29. TheWIDS node of claim 28, where the type of prohibited activity comprisesat least one of a security violation, communication with an intruder tothe wireless network, or anomalous behavior by the wireless accessdevice.